Product Images are Not Loading - Still

creativologist · 3 October 2025 00:12

i see posts about this back to 2014 and I don’t see any solutions

the URL in the page source points to:

https://mycrm.com/legacy/upload/F6952BE7-32C5-76F5-3631-851C84ACF10F_myproductimage.jpg

(it automatically appends those numbers and letters to the file name when uploading)

The actual directory is /public/legacy/upload

Going the link in the source code brings a 403 error

uploads folder has .htaccess with this

	Order Deny,Allow
	Deny from all

Any thoughts?

thanks

pstevens · 3 October 2025 01:28

do you have your document root set to domainname/public ? This will ensure that the URL works properly.

creativologist · 3 October 2025 01:48

Yes.
DocumentRoot /var/www/crm/public

BastianHammer · 3 October 2025 04:10

Hello Vincent,

the issue is within the /public/legacy/.htaccess file:

If you change it from:

RedirectMatch 403 (?i)/+upload

to:

RedirectMatch 403 (?i)/+upload/$
(allow images within the folder, but not the folder itself)

or comment this one out entirely:

# RedirectMatch 403 (?i)/+upload/$
(allow all access to the upload directory)

However, one would have to contemplate the security implications about this.
The upload folder contains an index.html with content that doesn’t give away much.
If one can guess IDs / paths of contents, this is they way to make it publicly accessible - so careful with this approach.

I’ve updated the issue on Github:

github.com/SuiteCRM/SuiteCRM-Core

Product/Image not showing

opened 11:31AM - 28 Aug 22 UTC

borisko1980

Type: Bug Priority:Important Type:Suite7

#### Issue When assigning a picture to a product, the actual image gets stored …in public/legacy/upload where it is not accessible as per .htaccess restrictions In the database only a link to image is stored, "site_url/upload/image..." - which does not correspond to actual location of file #### Expected Behavior Uploaded product image should show up #### Actual Behavior Uploaded image does not show ( despite being uploaded ) #### Possible Fix multiple choices here - more of a system architect choice. a) create an public/upload folder and move the uploaded image there, instead of public/legacy/upload b) fix the image link to reflect actual location and allow access to public/legacy/upload ( I suspect this could be a security issue ) c) above choices would probably expose image to users not logged in, so perhaps a more robust solution could be thought of - simplest of all maybe inlining image data #### Steps to Reproduce 1. create a new product 2. select an image for it 3. save the record 4. view the record - no image, just broken link #### Context #### Your Environment * SuiteCRM Version used: 8.1.3 * Browser name and version: any browser * Environment name and version: not applicable * Operating System and version: server is Debian Bullseye

Add your comments as well, to get more visibility - CRM without images is a bad idea

creativologist · 3 October 2025 13:34

Thanks Bastian. I do not wish to open up security holes so band-aid fixes won’t work.

However I have just tried that to test and it doesn’t work for me.

Failed to load resource: the server responded with a status of 403 (Forbidden)

Do I need to "rebuild htacess files? What is …htacces.swp file?

Is this in your uploads folder?

	Order Deny,Allow
	Deny from all

BastianHammer · 3 October 2025 14:03

That’s the “swap” file from some editor - in case the editor crashed our you got disconnected from the SSH shell session.
You can delete it and then double check your .htaccess

It worked right away for me - that’s more of a server thing than SuiteCRM.

What is this? A file? What’s it’s name?

My vhost:

<Directory /var/www/suite89.demo/public>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted

Nothing specific about the upload folder.

creativologist · 3 October 2025 14:52

Order Deny,Allow
Deny from all

Is the .htaccess file in UPLOADS folder.

BastianHammer · 3 October 2025 14:57

Interesting.
I don’t have a .htaccess in my upload folder.

Anyway, simple to test: Make a backup and delete it - see whether it works then.

creativologist · 3 October 2025 15:02

Ah, that fixed it. The images now show.

What should I do with THAT htacess file in upload directory?

BastianHammer · 3 October 2025 15:14

It seems to be coming from older versions.
You’re working on an upgraded system?
All the newer 8.8.x, 8.9.x installations don’t contain it - only the older, upgraded once that I’ve just checked.

If you’re steering restrictions of the upload folder from the parents folder .htaccess, you’ve got a redundancy. You don’t need the upload/.htaccess.

What to do, to make the upload folder non accessible for the internet, but for SuiteCRM is a bigger topic, probably best to be followed via this Github ticket.

creativologist · 3 October 2025 15:28

I will delete it thanks

I commented on the ticket and will follow that

markbond · 7 October 2025 16:05

@creativologist

I would point out that the commands:

Order Deny,Allow
Deny from all

are depreciated commands from Old apache (pre 2.x) and are set to deny any access to that folder anyway, so it looks “wrong” either way. Glad you got it solved however.

Regards

Mark

BastianHammer · 8 October 2025 06:20

Exactly, you’re right - it’s probably just a tiny fix.
I’ve created an issue for it:

github.com/SuiteCRM/SuiteCRM-Core

Upgrade doesn't delete old htaccess file, which prevents product images from showing up

opened 06:17AM - 08 Oct 25 UTC

BastianHammer

Type: Bug

### Issue For fresh 8.7, 8.8 or 8.9 installations, there is no file: `public/le…gacy/upload/.htaccess` For upgraded versions 7 to 8 (and maybe early 8.x to more recent 8.8+ - haven't tested all available installations, yet) the file remains from the initial install. The file contains: ``` Order Deny,Allow Deny from all ``` Two issues: 1. That's deprecated: > The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use. https://httpd.apache.org/docs/2.4/howto/access.html 2. It'll prevent product images from showing up https://community.suitecrm.com/t/product-images-are-not-loading-still/100234/4 ### Possible Fix Remove the file during the upgrade ### Steps to Reproduce the Issue ```bash 1. Upgrade an older Suite to 8.7+ 2. Create a product with an image 3. Open the product details view page ``` ### Context If I enter this into my browser (on a 8.9): url.com/legacy/upload/ I get: ``` Forbidden You don't have permission to access this resource. ``` So probably all good already. If I enter an existing file, I can see it in the browser: legacy/upload/2cad5fdc-e137-46a0-a738-fb48899103ae ### Version 8.7+ after an upgrade from a 7 (and maybe earlier 8) ### What browser are you currently using? Firefox ### Browser Version _No response_ ### Environment Information MySQL, PHP 8.3 ### Operating System and Version Ubuntu 24

creativologist · 8 October 2025 14:50

By the way, there was also an .htaccess in the logs directory that prevented me from writing to logs. I deleted that one also

markbond · 17 October 2025 14:58

@BastianHammer

Just working on something else, it seems there is a rebuild htaccess option in the repair menu, that creates this file with these options in it.

Mark

BastianHammer · 17 October 2025 16:06

Hello Mark,

true - there are multiple Admin actions / settings from Suite7 in the admin area which don’t apply or wouldn’t be handled in the same way in Suite8 anymore.
In this case, it seemingly creates an issue in a Suite8 system. I’m usually a bit careful with the repair options, other than the (in)famous quick repair & rebuild.

markbond · 17 October 2025 16:09

@BastianHammer

Yes only noticed because a client running Suite on Azure Container keeps having to click the rebuild htaccess for some reason and noticed it contains these depreciated commands.

Mark

Tic-Tac · 28 January 2026 12:00

Hello everyone!

This problem was introduced after version 8.5.1, cause images work there. Also the images not working is not limited to the products, it also applies to avatars.

The .htaccess thing? I think it is Apache specific. What about those who use nginx?

rsp · 28 January 2026 14:41

Yeah, lots of users use nginx to run SuiteCRM.